{"id":42512,"date":"2015-04-13T12:35:07","date_gmt":"2015-04-13T19:35:07","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=42512"},"modified":"2025-06-08T19:06:58","modified_gmt":"2025-06-09T02:06:58","slug":"vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/","title":{"rendered":"VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials"},"content":{"rendered":"<p>Since the beginning of the year we have seen a spike in ransomware including the emergence of new ransomware families. One family that has recently resurfaced is Vaultcrypt. This variant both tidies up after itself and steals web page login data.<\/p>\n<h2><strong>Infection vector<\/strong><\/h2>\n<p>The malware arrives on a victim&#8217;s machine through a spam email containing an attachment, as shown in this Russian example:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-42513 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\" alt=\"1\" width=\"431\" height=\"452\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/18.png 431w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/18-286x300.png 286w\" sizes=\"auto, (max-width: 431px) 100vw, 431px\" \/><\/a><\/p>\n<p>The attachment is a zip file containing a malicious JavaScript file. 
The script file may look like this:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/24.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-42514 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/24.jpg\" alt=\"2\" width=\"599\" height=\"568\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/24.jpg 599w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/24-300x284.jpg 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/a><\/p>\n<p>The JavaScript contains strings such as \u201cchecked and scanned by Avast antivirus\u201d to reassure users and appear legitimate. When a user executes the JavaScript file, it downloads a malicious .bat file along with some other files and stores them in %temp%. After successfully downloading the files, the JavaScript executes the batch file, which renames the downloaded files as shown:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/33.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42515\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/33.jpg\" alt=\"3\" width=\"455\" height=\"166\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/33.jpg 455w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/33-300x109.jpg 300w\" sizes=\"auto, (max-width: 455px) 100vw, 455px\" \/><\/a><\/p>\n<p>The malware installs the tool GnuPG (GNU Privacy Guard), an open-source encryption utility. 
GnuPG generates an RSA-1024 public and private key pair to encrypt files with the following extensions:<\/p>\n<ul>\n<li>.cd<\/li>\n<li>.mdb<\/li>\n<li>.1cd<\/li>\n<li>.dbf<\/li>\n<li>.sqlite<\/li>\n<li>.jpg<\/li>\n<li>.zip<\/li>\n<li>.7z<\/li>\n<li>.psd<\/li>\n<li>.dwg<\/li>\n<li>.cdr<\/li>\n<li>.pdf<\/li>\n<li>.rtf<\/li>\n<li>.xls<\/li>\n<li>.doc<\/li>\n<\/ul>\n<p>The following screen shows the commands:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/42.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42516\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/42.jpg\" alt=\"4\" width=\"927\" height=\"373\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/42.jpg 927w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/42-300x121.jpg 300w\" sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/a><\/p>\n<p>The malware does not encrypt files in the following folders:<\/p>\n<ul>\n<li>windows<\/li>\n<li>temp<\/li>\n<li>recycle<\/li>\n<li>program<\/li>\n<li>appdata<\/li>\n<li>avatar<\/li>\n<li>roaming<\/li>\n<li>msoffice<\/li>\n<li>McAfee<\/li>\n<\/ul>\n<p>This screen illustrates:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/56.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42517\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/56.png\" alt=\"5\" width=\"1102\" height=\"80\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/56.png 1102w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/56-300x22.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/56-1024x74.png 1024w\" sizes=\"auto, (max-width: 1102px) 100vw, 1102px\" \/><\/a><\/p>\n<p>After successfully encrypting the files, the malware drops a .txt file onto the user\u2019s desktop. 
The .txt file contains instructions, in Russian, on how to pay the ransom and decrypt the files.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/62.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42518\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/62.jpg\" alt=\"6\" width=\"999\" height=\"580\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/62.jpg 999w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/62-300x174.jpg 300w\" sizes=\"auto, (max-width: 999px) 100vw, 999px\" \/><\/a><\/p>\n<p>The malware also executes an HTML application (.hta) containing the instructions for the user to pay the ransom:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/74.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42519\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/74.png\" alt=\"7\" width=\"1278\" height=\"723\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/74.png 1278w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/74-300x170.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/74-1024x579.png 1024w\" sizes=\"auto, (max-width: 1278px) 100vw, 1278px\" \/><\/a><\/p>\n<p>After completing the encryption process, the malware uses the Microsoft Sysinternals tool SDelete to delete itself and all other files that were used for encryption. SDelete overwrites the deleted files or cleans the free space on a logical disk, making those files difficult to recover. 
The following image illustrates this:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/attachment\/vault-key-p-16\" rel=\"attachment wp-att-42608\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42608\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Vault.Key-p-16.jpg\" alt=\"Vault.Key -p 16\" width=\"792\" height=\"167\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Vault.Key-p-16.jpg 792w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Vault.Key-p-16-300x63.jpg 300w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/a><\/p>\n<p>As we see in the preceding image, the malware uses the switch &#8220;-p 16,&#8221; which causes 16 overwrite passes. With these repeated overwrites, it is nearly impossible to recover those deleted files using recovery tools. The following image shows the files the tool deletes.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/86.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-42520 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/86.png\" alt=\"8\" width=\"415\" height=\"708\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/86.png 415w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/86-176x300.png 176w\" sizes=\"auto, (max-width: 415px) 100vw, 415px\" \/><\/a><\/p>\n<p>Meanwhile, the malware downloads the <a href=\"http:\/\/securityxploded.com\/browser-password-dump.php\">Browser Password Dump<\/a> tool (from SecurityXploded) from its control server. This tool extracts the victim&#8217;s stored login credentials from most web browsers. 
The malware uploads the stolen user credentials to its control server.<\/p>\n<p>Here\u2019s a look at the traffic:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/attachment\/vault-key-tcp-stream\" rel=\"attachment wp-att-42609\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-42609\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Vault.Key-TCP-stream.png\" alt=\"Vault.Key TCP stream\" width=\"1537\" height=\"602\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Vault.Key-TCP-stream.png 1537w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Vault.Key-TCP-stream-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Vault.Key-TCP-stream-1024x401.png 1024w\" sizes=\"auto, (max-width: 1537px) 100vw, 1537px\" \/><\/a><\/p>\n<p>McAfee products detect the batch file as BAT\/CrypVault and the JavaScript file as JS\/CrypVaultDown with DAT Version 7765 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the beginning of the year we have seen a spike in ransomware including the emergence of new ransomware families&#8230;.<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[3973],"class_list":["post-42512","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials | McAfee Blog<\/title>\n<meta name=\"description\" content=\"A recent ransomware variant of 
Vaultcrypt both tidies up after itself and steals the victim&#039;s web page login data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"A recent ransomware variant of Vaultcrypt both tidies up after itself and steals the victim&#039;s web page login data.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-04-13T19:35:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T02:06:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/18.png\" \/>\n\t<meta property=\"og:image:width\" content=\"431\" \/>\n\t<meta property=\"og:image:height\" content=\"452\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials\",\"datePublished\":\"2015-04-13T19:35:07+00:00\",\"dateModified\":\"2025-06-09T02:06:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\"},\"wordCount\":431,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\",\"name\":\"VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\",\"datePublished\":\"2015-04-13T19:35:07+00:00\",\"dateModified\":\"2025-06-09T02:06:58+00:00\",\"description\":\"A recent ransomware variant of Vaultcrypt both tidies up after itself and steals the victim's web page login data.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/18.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/vaultcrypt-ransomware-hides-its-traces-while-stealing-web-credentials\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"ur
l\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=42512"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42512\/revisions"}],"predecessor-version":[{"id":215274,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/42512\/revisions\/215274"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=42512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=42512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=42512"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=42512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}